ADFS Support for SharePoint Adaptor

ADFS Support for SharePoint Adaptor

[JohnL, 2014-04-02 21:47:14]

Just peeking, not looking at logic. ;-)

John L

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
File src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.java
(right):

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.java:36:
// Wrapper class to provide basic SAML finctionality which can be used by
Use javadoc, "finctionality" => "functionality", "diffrent" => "different", add
a period.

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.java:38:
public class SAMLAuthenticationHandler implements AuthenticationHandler {
"SamlAuthenticationHandler"

https://codereview.appspot.com/83730043/diff/1/test/com/google/enterprise/ada...
File
test/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandlerTest.java
(right):

https://codereview.appspot.com/83730043/diff/1/test/com/google/enterprise/ada...
test/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandlerTest.java:30:
public class SAMLAuthenticationHandlerTest {
"SamlAuthenticationHandlerTest"

[ondrejnovak, 2014-04-03 08:56:21]

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java
(right):

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:50:
private final String login = "/_layouts/Authenticate.aspx";
I don't think we should hardcode this

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:103:
stsendpoint = sts + "/adfs/services/trust/2005/usernamemixed";
I don't think you should hardcode this, what if I want different STS URL (e.g.
SharePoint online)

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:115:
requestProperties.put("Expect", "100-continue");
I guess you put it here because .NET does send this header by default, I would
just drop it.

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:116:
requestProperties.put("Connection", "Keep-Alive");
I would drop this

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:117:
requestProperties.put("Content-Length", Integer.toString(saml.length()));
I would move this to the SAMLAuthenticationHandler class

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:130:
String url = endpoint + "/_trust";
not fan of the hardcoding again

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:144:
requestProperties.put("User-Agent", "Mozilla/5.0 (compatible; "
why do you think we need this - in my tests, this is not necessary

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:153:
private String generateSAMLRequest() {
At least & should be handled to avoid XML issues

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:166: =
document.getElementsByTagName("t:RequestSecurityTokenResponse");
You are relying on the namespace alias to be always "t". You should use
getElementsByTagNameNS()

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:170:
return null;
you should also throw an exception here and not return null

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:173:
String token = getOuterXml(responseToken);
I don't understand what this is for? Why don't you just run
nodex.item(0).getTextContent()

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
File src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.java
(right):

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.java:121:
connection.addRequestProperty(key, connectionProperties.get(key));
I think content-length should be set here by default and not passed by the user.

[Tanmay Vartak, 2014-04-10 17:26:07]

Hi Ondra,

Thanks for review. I have added my reply to some of your comments. Most of them
I have implemented. I will upload a patch soon once we decide on approach to
specify various properties.

Regards,
Tanmay

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java
(right):

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:50:
private final String login = "/_layouts/Authenticate.aspx";
/_layouts/Authenticate.aspx is part of regular claims processing.
http://msdn.microsoft.com/en-us/library/hh147177(v=office.14).aspx#SPO_RA_Cla...

Do you think we can have this as a default value? which can be overridden by
either use of system.property or via adaptopr config.properties?
On 2014/04/03 08:56:22, ondrejnovak wrote:
> I don't think we should hardcode this

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:103:
stsendpoint = sts + "/adfs/services/trust/2005/usernamemixed";
For SharePoint Online, we need to use little different implementation (need to
refer different node to extract token).

One question I have is, if we allow user to specify different endpoint here,
that might not work with reqXML we have here.
On 2014/04/03 08:56:22, ondrejnovak wrote:
> I don't think you should hardcode this, what if I want different STS URL (e.g.
> SharePoint online)

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:115:
requestProperties.put("Expect", "100-continue");
removed. These settings were required if I want to use CookieManager object to
grab cookie. But I changed implementation.
On 2014/04/03 08:56:22, ondrejnovak wrote:
> I guess you put it here because .NET does send this header by default, I would
> just drop it.

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:116:
requestProperties.put("Connection", "Keep-Alive");
Done.
On 2014/04/03 08:56:22, ondrejnovak wrote:
> I would drop this

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:117:
requestProperties.put("Content-Length", Integer.toString(saml.length()));
Done
On 2014/04/03 08:56:22, ondrejnovak wrote:
> I would move this to the SAMLAuthenticationHandler class

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:130:
String url = endpoint + "/_trust";
Again this was specific to ADFS implementation. But we can override it.
On 2014/04/03 08:56:22, ondrejnovak wrote:
> not fan of the hardcoding again

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:144:
requestProperties.put("User-Agent", "Mozilla/5.0 (compatible; "
Again due to CookieManager object. Removed.
On 2014/04/03 08:56:22, ondrejnovak wrote:
> why do you think we need this - in my tests, this is not necessary

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:153:
private String generateSAMLRequest() {
I have updated reqXML to use CDATA to escape any special characters in username
and password.
On 2014/04/03 08:56:22, ondrejnovak wrote:
> At least & should be handled to avoid XML issues

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:166: =
document.getElementsByTagName("t:RequestSecurityTokenResponse");
Done.
On 2014/04/03 08:56:22, ondrejnovak wrote:
> You are relying on the namespace alias to be always "t". You should use
> getElementsByTagNameNS()

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:170:
return null;
Done.
On 2014/04/03 08:56:22, ondrejnovak wrote:
> you should also throw an exception here and not return null

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:173:
String token = getOuterXml(responseToken);
getTextContent() gets the text value for XML node. So it is skipping all XML
tags. Also we need entire "RequestSecurityTokenResponse" XML including
"<t:RequestSecurityTokenResponse>" and "</t:RequestSecurityTokenResponse>"

Do we have anything in JAVA like in .NET XmlNode.OuterXml?
On 2014/04/03 08:56:22, ondrejnovak wrote:
> I don't understand what this is for? Why don't you just run
> nodex.item(0).getTextContent()

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
File src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.java
(right):

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.java:36:
// Wrapper class to provide basic SAML finctionality which can be used by
On 2014/04/02 21:47:14, John L wrote:
> Use javadoc, "finctionality" => "functionality", "diffrent" => "different",
add
> a period.

Done.

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.java:38:
public class SAMLAuthenticationHandler implements AuthenticationHandler {
On 2014/04/02 21:47:14, John L wrote:
> "SamlAuthenticationHandler"

Done.

https://codereview.appspot.com/83730043/diff/1/src/com/google/enterprise/adap...
src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.java:121:
connection.addRequestProperty(key, connectionProperties.get(key));
Done
On 2014/04/03 08:56:22, ondrejnovak wrote:
> I think content-length should be set here by default and not passed by the
user.

https://codereview.appspot.com/83730043/diff/1/test/com/google/enterprise/ada...
File
test/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandlerTest.java
(right):

https://codereview.appspot.com/83730043/diff/1/test/com/google/enterprise/ada...
test/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandlerTest.java:30:
public class SAMLAuthenticationHandlerTest {
On 2014/04/02 21:47:14, John L wrote:
> "SamlAuthenticationHandlerTest"

Done.

[ondrejnovak, 2014-04-11 11:25:24]

I think keeping these as default with the option to override it in
adaptor-config.properties would be best.

Thanks

Ondra


On Thu, Apr 10, 2014 at 7:26 PM, <tvartak@google.com> wrote:

> Hi Ondra,
>
> Thanks for review. I have added my reply to some of your comments. Most
> of them I have implemented. I will upload a patch soon once we decide on
> approach to specify various properties.
>
> Regards,
> Tanmay
>
>
> https://codereview.appspot.com/83730043/diff/1/src/com/
> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java
> File
> src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java
> (right):
>
> https://codereview.appspot.com/83730043/diff/1/src/com/
> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode50
> src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:50:
> private final String login = "/_layouts/Authenticate.aspx";
> /_layouts/Authenticate.aspx is part of regular claims processing.
> http://msdn.microsoft.com/en-us/library/hh147177(v=office.
> 14).aspx#SPO_RA_ClaimsSequence
>
> Do you think we can have this as a default value? which can be
> overridden by either use of system.property or via adaptopr
> config.properties?
> On 2014/04/03 08:56:22, ondrejnovak wrote:
>
>> I don't think we should hardcode this
>>
>
> https://codereview.appspot.com/83730043/diff/1/src/com/
> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode103
> src/com/google/enterprise/adaptor/sharepoint/
> AdfsHandshakeManager.java:103:
> stsendpoint = sts + "/adfs/services/trust/2005/usernamemixed";
> For SharePoint Online, we need to use little different implementation
> (need to refer different node to extract token).
>
> One question I have is, if we allow user to specify different endpoint
> here, that might not work with reqXML we have here.
> On 2014/04/03 08:56:22, ondrejnovak wrote:
>
>> I don't think you should hardcode this, what if I want different STS
>>
> URL (e.g.
>
>> SharePoint online)
>>
>
> https://codereview.appspot.com/83730043/diff/1/src/com/
> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode115
> src/com/google/enterprise/adaptor/sharepoint/
> AdfsHandshakeManager.java:115:
> requestProperties.put("Expect", "100-continue");
> removed. These settings were required if I want to use CookieManager
> object to grab cookie. But I changed implementation.
> On 2014/04/03 08:56:22, ondrejnovak wrote:
>
>> I guess you put it here because .NET does send this header by default,
>>
> I would
>
>> just drop it.
>>
>
> https://codereview.appspot.com/83730043/diff/1/src/com/
> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode116
> src/com/google/enterprise/adaptor/sharepoint/
> AdfsHandshakeManager.java:116:
> requestProperties.put("Connection", "Keep-Alive");
> Done.
> On 2014/04/03 08:56:22, ondrejnovak wrote:
>
>> I would drop this
>>
>
> https://codereview.appspot.com/83730043/diff/1/src/com/
> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode117
> src/com/google/enterprise/adaptor/sharepoint/
> AdfsHandshakeManager.java:117:
> requestProperties.put("Content-Length",
> Integer.toString(saml.length()));
> Done
> On 2014/04/03 08:56:22, ondrejnovak wrote:
>
>> I would move this to the SAMLAuthenticationHandler class
>>
>
> https://codereview.appspot.com/83730043/diff/1/src/com/
> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode130
> src/com/google/enterprise/adaptor/sharepoint/
> AdfsHandshakeManager.java:130:
> String url = endpoint + "/_trust";
> Again this was specific to ADFS implementation. But we can override it.
> On 2014/04/03 08:56:22, ondrejnovak wrote:
>
>> not fan of the hardcoding again
>>
>
> https://codereview.appspot.com/83730043/diff/1/src/com/
> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode144
> src/com/google/enterprise/adaptor/sharepoint/
> AdfsHandshakeManager.java:144:
> requestProperties.put("User-Agent", "Mozilla/5.0 (compatible; "
> Again due to CookieManager object. Removed.
> On 2014/04/03 08:56:22, ondrejnovak wrote:
>
>> why do you think we need this - in my tests, this is not necessary
>>
>
> https://codereview.appspot.com/83730043/diff/1/src/com/
> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode153
> src/com/google/enterprise/adaptor/sharepoint/
> AdfsHandshakeManager.java:153:
> private String generateSAMLRequest() {
> I have updated reqXML to use CDATA to escape any special characters in
> username and password.
> On 2014/04/03 08:56:22, ondrejnovak wrote:
>
>> At least & should be handled to avoid XML issues
>>
>
> https://codereview.appspot.com/83730043/diff/1/src/com/
> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode166
> src/com/google/enterprise/adaptor/sharepoint/
> AdfsHandshakeManager.java:166:
> = document.getElementsByTagName("t:RequestSecurityTokenResponse");
> Done.
> On 2014/04/03 08:56:22, ondrejnovak wrote:
>
>> You are relying on the namespace alias to be always "t". You should
>>
> use
>
>> getElementsByTagNameNS()
>>
>
> https://codereview.appspot.com/83730043/diff/1/src/com/
> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode170
> src/com/google/enterprise/adaptor/sharepoint/
> AdfsHandshakeManager.java:170:
> return null;
> Done.
> On 2014/04/03 08:56:22, ondrejnovak wrote:
>
>> you should also throw an exception here and not return null
>>
>
> https://codereview.appspot.com/83730043/diff/1/src/com/
> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode173
> src/com/google/enterprise/adaptor/sharepoint/
> AdfsHandshakeManager.java:173:
> String token = getOuterXml(responseToken);
> getTextContent() gets the text value for XML node. So it is skipping all
> XML tags. Also we need entire "RequestSecurityTokenResponse" XML
> including "<t:RequestSecurityTokenResponse>" and
> "</t:RequestSecurityTokenResponse>"
>
> Do we have anything in JAVA like in .NET XmlNode.OuterXml?
> On 2014/04/03 08:56:22, ondrejnovak wrote:
>
>> I don't understand what this is for? Why don't you just run
>> nodex.item(0).getTextContent()
>>
>
> https://codereview.appspot.com/83730043/diff/1/src/com/
> google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.java
> File
> src/com/google/enterprise/adaptor/sharepoint/
> SAMLAuthenticationHandler.java
> (right):
>
> https://codereview.appspot.com/83730043/diff/1/src/com/
> google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.
> java#newcode36
> src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.
> java:36:
> // Wrapper class to provide basic SAML finctionality which can be used
> by
> On 2014/04/02 21:47:14, John L wrote:
>
>> Use javadoc, "finctionality" => "functionality", "diffrent" =>
>>
> "different", add
>
>> a period.
>>
>
> Done.
>
> https://codereview.appspot.com/83730043/diff/1/src/com/
> google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.
> java#newcode38
> src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.
> java:38:
> public class SAMLAuthenticationHandler implements AuthenticationHandler
> {
> On 2014/04/02 21:47:14, John L wrote:
>
>> "SamlAuthenticationHandler"
>>
>
> Done.
>
> https://codereview.appspot.com/83730043/diff/1/src/com/
> google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.
> java#newcode121
> src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.
> java:121:
> connection.addRequestProperty(key, connectionProperties.get(key));
> Done
> On 2014/04/03 08:56:22, ondrejnovak wrote:
>
>> I think content-length should be set here by default and not passed by
>>
> the user.
>
> https://codereview.appspot.com/83730043/diff/1/test/com/
> google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandlerTest.java
> File
> test/com/google/enterprise/adaptor/sharepoint/
> SAMLAuthenticationHandlerTest.java
> (right):
>
> https://codereview.appspot.com/83730043/diff/1/test/com/
> google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandlerTest.
> java#newcode30
> test/com/google/enterprise/adaptor/sharepoint/
> SAMLAuthenticationHandlerTest.java:30:
> public class SAMLAuthenticationHandlerTest {
> On 2014/04/02 21:47:14, John L wrote:
>
>> "SamlAuthenticationHandlerTest"
>>
>
> Done.
>
> https://codereview.appspot.com/83730043/
>

[pjo, 2014-04-11 18:42:50]

+1


- technology's compounding interest
-


On Fri, Apr 11, 2014 at 4:25 AM, Ondrej Novak <ondrejnovak@google.com>wrote:

> I think keeping these as default with the option to override it in
> adaptor-config.properties would be best.
>
> Thanks
>
> Ondra
>
>
> On Thu, Apr 10, 2014 at 7:26 PM, <tvartak@google.com> wrote:
>
>> Hi Ondra,
>>
>> Thanks for review. I have added my reply to some of your comments. Most
>> of them I have implemented. I will upload a patch soon once we decide on
>> approach to specify various properties.
>>
>> Regards,
>> Tanmay
>>
>>
>> https://codereview.appspot.com/83730043/diff/1/src/com/
>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java
>> File
>> src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java
>> (right):
>>
>> https://codereview.appspot.com/83730043/diff/1/src/com/
>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode50
>> src/com/google/enterprise/adaptor/sharepoint/
>> AdfsHandshakeManager.java:50:
>> private final String login = "/_layouts/Authenticate.aspx";
>> /_layouts/Authenticate.aspx is part of regular claims processing.
>> http://msdn.microsoft.com/en-us/library/hh147177(v=office.
>> 14).aspx#SPO_RA_ClaimsSequence
>>
>> Do you think we can have this as a default value? which can be
>> overridden by either use of system.property or via adaptopr
>> config.properties?
>> On 2014/04/03 08:56:22, ondrejnovak wrote:
>>
>>> I don't think we should hardcode this
>>>
>>
>> https://codereview.appspot.com/83730043/diff/1/src/com/
>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode103
>> src/com/google/enterprise/adaptor/sharepoint/
>> AdfsHandshakeManager.java:103:
>> stsendpoint = sts + "/adfs/services/trust/2005/usernamemixed";
>> For SharePoint Online, we need to use little different implementation
>> (need to refer different node to extract token).
>>
>> One question I have is, if we allow user to specify different endpoint
>> here, that might not work with reqXML we have here.
>> On 2014/04/03 08:56:22, ondrejnovak wrote:
>>
>>> I don't think you should hardcode this, what if I want different STS
>>>
>> URL (e.g.
>>
>>> SharePoint online)
>>>
>>
>> https://codereview.appspot.com/83730043/diff/1/src/com/
>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode115
>> src/com/google/enterprise/adaptor/sharepoint/
>> AdfsHandshakeManager.java:115:
>> requestProperties.put("Expect", "100-continue");
>> removed. These settings were required if I want to use CookieManager
>> object to grab cookie. But I changed implementation.
>> On 2014/04/03 08:56:22, ondrejnovak wrote:
>>
>>> I guess you put it here because .NET does send this header by default,
>>>
>> I would
>>
>>> just drop it.
>>>
>>
>> https://codereview.appspot.com/83730043/diff/1/src/com/
>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode116
>> src/com/google/enterprise/adaptor/sharepoint/
>> AdfsHandshakeManager.java:116:
>> requestProperties.put("Connection", "Keep-Alive");
>> Done.
>> On 2014/04/03 08:56:22, ondrejnovak wrote:
>>
>>> I would drop this
>>>
>>
>> https://codereview.appspot.com/83730043/diff/1/src/com/
>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode117
>> src/com/google/enterprise/adaptor/sharepoint/
>> AdfsHandshakeManager.java:117:
>> requestProperties.put("Content-Length",
>> Integer.toString(saml.length()));
>> Done
>> On 2014/04/03 08:56:22, ondrejnovak wrote:
>>
>>> I would move this to the SAMLAuthenticationHandler class
>>>
>>
>> https://codereview.appspot.com/83730043/diff/1/src/com/
>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode130
>> src/com/google/enterprise/adaptor/sharepoint/
>> AdfsHandshakeManager.java:130:
>> String url = endpoint + "/_trust";
>> Again this was specific to ADFS implementation. But we can override it.
>> On 2014/04/03 08:56:22, ondrejnovak wrote:
>>
>>> not fan of the hardcoding again
>>>
>>
>> https://codereview.appspot.com/83730043/diff/1/src/com/
>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode144
>> src/com/google/enterprise/adaptor/sharepoint/
>> AdfsHandshakeManager.java:144:
>> requestProperties.put("User-Agent", "Mozilla/5.0 (compatible; "
>> Again due to CookieManager object. Removed.
>> On 2014/04/03 08:56:22, ondrejnovak wrote:
>>
>>> why do you think we need this - in my tests, this is not necessary
>>>
>>
>> https://codereview.appspot.com/83730043/diff/1/src/com/
>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode153
>> src/com/google/enterprise/adaptor/sharepoint/
>> AdfsHandshakeManager.java:153:
>> private String generateSAMLRequest() {
>> I have updated reqXML to use CDATA to escape any special characters in
>> username and password.
>> On 2014/04/03 08:56:22, ondrejnovak wrote:
>>
>>> At least & should be handled to avoid XML issues
>>>
>>
>> https://codereview.appspot.com/83730043/diff/1/src/com/
>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode166
>> src/com/google/enterprise/adaptor/sharepoint/
>> AdfsHandshakeManager.java:166:
>> = document.getElementsByTagName("t:RequestSecurityTokenResponse");
>> Done.
>> On 2014/04/03 08:56:22, ondrejnovak wrote:
>>
>>> You are relying on the namespace alias to be always "t". You should
>>>
>> use
>>
>>> getElementsByTagNameNS()
>>>
>>
>> https://codereview.appspot.com/83730043/diff/1/src/com/
>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode170
>> src/com/google/enterprise/adaptor/sharepoint/
>> AdfsHandshakeManager.java:170:
>> return null;
>> Done.
>> On 2014/04/03 08:56:22, ondrejnovak wrote:
>>
>>> you should also throw an exception here and not return null
>>>
>>
>> https://codereview.appspot.com/83730043/diff/1/src/com/
>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode173
>> src/com/google/enterprise/adaptor/sharepoint/
>> AdfsHandshakeManager.java:173:
>> String token = getOuterXml(responseToken);
>> getTextContent() gets the text value for XML node. So it is skipping all
>> XML tags. Also we need entire "RequestSecurityTokenResponse" XML
>> including "<t:RequestSecurityTokenResponse>" and
>> "</t:RequestSecurityTokenResponse>"
>>
>> Do we have anything in JAVA like in .NET XmlNode.OuterXml?
>> On 2014/04/03 08:56:22, ondrejnovak wrote:
>>
>>> I don't understand what this is for? Why don't you just run
>>> nodex.item(0).getTextContent()
>>>
>>
>> https://codereview.appspot.com/83730043/diff/1/src/com/
>> google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.java
>> File
>> src/com/google/enterprise/adaptor/sharepoint/
>> SAMLAuthenticationHandler.java
>> (right):
>>
>> https://codereview.appspot.com/83730043/diff/1/src/com/
>> google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.
>> java#newcode36
>> src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.
>> java:36:
>> // Wrapper class to provide basic SAML finctionality which can be used
>> by
>> On 2014/04/02 21:47:14, John L wrote:
>>
>>> Use javadoc, "finctionality" => "functionality", "diffrent" =>
>>>
>> "different", add
>>
>>> a period.
>>>
>>
>> Done.
>>
>> https://codereview.appspot.com/83730043/diff/1/src/com/
>> google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.
>> java#newcode38
>> src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.
>> java:38:
>> public class SAMLAuthenticationHandler implements AuthenticationHandler
>> {
>> On 2014/04/02 21:47:14, John L wrote:
>>
>>> "SamlAuthenticationHandler"
>>>
>>
>> Done.
>>
>> https://codereview.appspot.com/83730043/diff/1/src/com/
>> google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.
>> java#newcode121
>> src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.
>> java:121:
>> connection.addRequestProperty(key, connectionProperties.get(key));
>> Done
>> On 2014/04/03 08:56:22, ondrejnovak wrote:
>>
>>> I think content-length should be set here by default and not passed by
>>>
>> the user.
>>
>> https://codereview.appspot.com/83730043/diff/1/test/com/
>> google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandlerTest.java
>> File
>> test/com/google/enterprise/adaptor/sharepoint/
>> SAMLAuthenticationHandlerTest.java
>> (right):
>>
>> https://codereview.appspot.com/83730043/diff/1/test/com/
>> google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandlerTest.
>> java#newcode30
>> test/com/google/enterprise/adaptor/sharepoint/
>> SAMLAuthenticationHandlerTest.java:30:
>> public class SAMLAuthenticationHandlerTest {
>> On 2014/04/02 21:47:14, John L wrote:
>>
>>> "SamlAuthenticationHandlerTest"
>>>
>>
>> Done.
>>
>> https://codereview.appspot.com/83730043/
>>
>
>

[Tanmay Vartak, 2014-04-11 18:48:52]

Yes I have implemented same. New patch will be out by EOD


On Fri, Apr 11, 2014 at 11:42 AM, PJ <pjo@google.com> wrote:

> +1
>
>
> - technology's compounding interest
> -
>
>
> On Fri, Apr 11, 2014 at 4:25 AM, Ondrej Novak <ondrejnovak@google.com>wrote:
>
>> I think keeping these as default with the option to override it in
>> adaptor-config.properties would be best.
>>
>> Thanks
>>
>> Ondra
>>
>>
>> On Thu, Apr 10, 2014 at 7:26 PM, <tvartak@google.com> wrote:
>>
>>> Hi Ondra,
>>>
>>> Thanks for review. I have added my reply to some of your comments. Most
>>> of them I have implemented. I will upload a patch soon once we decide on
>>> approach to specify various properties.
>>>
>>> Regards,
>>> Tanmay
>>>
>>>
>>> https://codereview.appspot.com/83730043/diff/1/src/com/
>>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java
>>> File
>>> src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java
>>> (right):
>>>
>>> https://codereview.appspot.com/83730043/diff/1/src/com/
>>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#newcode50
>>> src/com/google/enterprise/adaptor/sharepoint/
>>> AdfsHandshakeManager.java:50:
>>> private final String login = "/_layouts/Authenticate.aspx";
>>> /_layouts/Authenticate.aspx is part of regular claims processing.
>>> http://msdn.microsoft.com/en-us/library/hh147177(v=office.
>>> 14).aspx#SPO_RA_ClaimsSequence
>>>
>>> Do you think we can have this as a default value? which can be
>>> overridden by either use of system.property or via adaptopr
>>> config.properties?
>>> On 2014/04/03 08:56:22, ondrejnovak wrote:
>>>
>>>> I don't think we should hardcode this
>>>>
>>>
>>> https://codereview.appspot.com/83730043/diff/1/src/com/
>>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#
>>> newcode103
>>> src/com/google/enterprise/adaptor/sharepoint/
>>> AdfsHandshakeManager.java:103:
>>> stsendpoint = sts + "/adfs/services/trust/2005/usernamemixed";
>>> For SharePoint Online, we need to use little different implementation
>>> (need to refer different node to extract token).
>>>
>>> One question I have is, if we allow user to specify different endpoint
>>> here, that might not work with reqXML we have here.
>>> On 2014/04/03 08:56:22, ondrejnovak wrote:
>>>
>>>> I don't think you should hardcode this, what if I want different STS
>>>>
>>> URL (e.g.
>>>
>>>> SharePoint online)
>>>>
>>>
>>> https://codereview.appspot.com/83730043/diff/1/src/com/
>>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#
>>> newcode115
>>> src/com/google/enterprise/adaptor/sharepoint/
>>> AdfsHandshakeManager.java:115:
>>> requestProperties.put("Expect", "100-continue");
>>> removed. These settings were required if I want to use CookieManager
>>> object to grab cookie. But I changed implementation.
>>> On 2014/04/03 08:56:22, ondrejnovak wrote:
>>>
>>>> I guess you put it here because .NET does send this header by default,
>>>>
>>> I would
>>>
>>>> just drop it.
>>>>
>>>
>>> https://codereview.appspot.com/83730043/diff/1/src/com/
>>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#
>>> newcode116
>>> src/com/google/enterprise/adaptor/sharepoint/
>>> AdfsHandshakeManager.java:116:
>>> requestProperties.put("Connection", "Keep-Alive");
>>> Done.
>>> On 2014/04/03 08:56:22, ondrejnovak wrote:
>>>
>>>> I would drop this
>>>>
>>>
>>> https://codereview.appspot.com/83730043/diff/1/src/com/
>>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#
>>> newcode117
>>> src/com/google/enterprise/adaptor/sharepoint/
>>> AdfsHandshakeManager.java:117:
>>> requestProperties.put("Content-Length",
>>> Integer.toString(saml.length()));
>>> Done
>>> On 2014/04/03 08:56:22, ondrejnovak wrote:
>>>
>>>> I would move this to the SAMLAuthenticationHandler class
>>>>
>>>
>>> https://codereview.appspot.com/83730043/diff/1/src/com/
>>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#
>>> newcode130
>>> src/com/google/enterprise/adaptor/sharepoint/
>>> AdfsHandshakeManager.java:130:
>>> String url = endpoint + "/_trust";
>>> Again this was specific to ADFS implementation. But we can override it.
>>> On 2014/04/03 08:56:22, ondrejnovak wrote:
>>>
>>>> not fan of the hardcoding again
>>>>
>>>
>>> https://codereview.appspot.com/83730043/diff/1/src/com/
>>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#
>>> newcode144
>>> src/com/google/enterprise/adaptor/sharepoint/
>>> AdfsHandshakeManager.java:144:
>>> requestProperties.put("User-Agent", "Mozilla/5.0 (compatible; "
>>> Again due to CookieManager object. Removed.
>>> On 2014/04/03 08:56:22, ondrejnovak wrote:
>>>
>>>> why do you think we need this - in my tests, this is not necessary
>>>>
>>>
>>> https://codereview.appspot.com/83730043/diff/1/src/com/
>>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#
>>> newcode153
>>> src/com/google/enterprise/adaptor/sharepoint/
>>> AdfsHandshakeManager.java:153:
>>> private String generateSAMLRequest() {
>>> I have updated reqXML to use CDATA to escape any special characters in
>>> username and password.
>>> On 2014/04/03 08:56:22, ondrejnovak wrote:
>>>
>>>> At least & should be handled to avoid XML issues
>>>>
>>>
>>> https://codereview.appspot.com/83730043/diff/1/src/com/
>>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#
>>> newcode166
>>> src/com/google/enterprise/adaptor/sharepoint/
>>> AdfsHandshakeManager.java:166:
>>> = document.getElementsByTagName("t:RequestSecurityTokenResponse");
>>> Done.
>>> On 2014/04/03 08:56:22, ondrejnovak wrote:
>>>
>>>> You are relying on the namespace alias to be always "t". You should
>>>>
>>> use
>>>
>>>> getElementsByTagNameNS()
>>>>
>>>
>>> https://codereview.appspot.com/83730043/diff/1/src/com/
>>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#
>>> newcode170
>>> src/com/google/enterprise/adaptor/sharepoint/
>>> AdfsHandshakeManager.java:170:
>>> return null;
>>> Done.
>>> On 2014/04/03 08:56:22, ondrejnovak wrote:
>>>
>>>> you should also throw an exception here and not return null
>>>>
>>>
>>> https://codereview.appspot.com/83730043/diff/1/src/com/
>>> google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java#
>>> newcode173
>>> src/com/google/enterprise/adaptor/sharepoint/
>>> AdfsHandshakeManager.java:173:
>>> String token = getOuterXml(responseToken);
>>> getTextContent() gets the text value for XML node. So it is skipping all
>>> XML tags. Also we need entire "RequestSecurityTokenResponse" XML
>>> including "<t:RequestSecurityTokenResponse>" and
>>> "</t:RequestSecurityTokenResponse>"
>>>
>>> Do we have anything in JAVA like in .NET XmlNode.OuterXml?
>>> On 2014/04/03 08:56:22, ondrejnovak wrote:
>>>
>>>> I don't understand what this is for? Why don't you just run
>>>> nodex.item(0).getTextContent()
>>>>
>>>
>>> https://codereview.appspot.com/83730043/diff/1/src/com/
>>> google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.java
>>> File
>>> src/com/google/enterprise/adaptor/sharepoint/
>>> SAMLAuthenticationHandler.java
>>> (right):
>>>
>>> https://codereview.appspot.com/83730043/diff/1/src/com/
>>> google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.
>>> java#newcode36
>>> src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.
>>> java:36:
>>> // Wrapper class to provide basic SAML finctionality which can be used
>>> by
>>> On 2014/04/02 21:47:14, John L wrote:
>>>
>>>> Use javadoc, "finctionality" => "functionality", "diffrent" =>
>>>>
>>> "different", add
>>>
>>>> a period.
>>>>
>>>
>>> Done.
>>>
>>> https://codereview.appspot.com/83730043/diff/1/src/com/
>>> google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.
>>> java#newcode38
>>> src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.
>>> java:38:
>>> public class SAMLAuthenticationHandler implements AuthenticationHandler
>>> {
>>> On 2014/04/02 21:47:14, John L wrote:
>>>
>>>> "SamlAuthenticationHandler"
>>>>
>>>
>>> Done.
>>>
>>> https://codereview.appspot.com/83730043/diff/1/src/com/
>>> google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.
>>> java#newcode121
>>> src/com/google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandler.
>>> java:121:
>>> connection.addRequestProperty(key, connectionProperties.get(key));
>>> Done
>>> On 2014/04/03 08:56:22, ondrejnovak wrote:
>>>
>>>> I think content-length should be set here by default and not passed by
>>>>
>>> the user.
>>>
>>> https://codereview.appspot.com/83730043/diff/1/test/com/
>>> google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandlerTest.java
>>> File
>>> test/com/google/enterprise/adaptor/sharepoint/
>>> SAMLAuthenticationHandlerTest.java
>>> (right):
>>>
>>> https://codereview.appspot.com/83730043/diff/1/test/com/
>>> google/enterprise/adaptor/sharepoint/SAMLAuthenticationHandlerTest.
>>> java#newcode30
>>> test/com/google/enterprise/adaptor/sharepoint/
>>> SAMLAuthenticationHandlerTest.java:30:
>>> public class SAMLAuthenticationHandlerTest {
>>> On 2014/04/02 21:47:14, John L wrote:
>>>
>>>> "SamlAuthenticationHandlerTest"
>>>>
>>>
>>> Done.
>>>
>>> https://codereview.appspot.com/83730043/
>>>
>>
>>
>

[Tanmay Vartak, 2014-04-11 21:34:28]

With code review comments and live authentication support

[pjo, 2014-04-12 00:45:34]

Thank you.

First quick pass for me.

https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/...
File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java
(right):

https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:49:
public class AdfsHandshakeManager implements SAMLHandshakeManager{
space before left curly

https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:59: final
String trustLocation;
not private?

https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:185:
private String generateSAMLRequest() {
generateSamlRequest

https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:190:
.replace("[stsrealm]", stsrealm);
not safe:
(1) something has "]]>" in password
(2) something has next key in password

One suggestion, use a string builder and take
care to subsitute cdata ending with
"]]]]><![CDATA[>"

https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:208:
log.log(Level.FINE, "ADFS Authentication Token {0}", token);
is it OK to print this?

https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:210: }
catch (Exception ex) {
seems to generic

https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/...
File
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java
(right):

https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:38:
private static final String liveSts
use capitals

https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:40:
private static final String liveLoginUrl
use capitals

https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/...
File src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java
(right):

https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:60:
DEFAULT_COOKIE_TIMEOUT_SECONDS, "PASSWORD_MISMATCH");
2 more spaces

https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:174:
if("".equals(value)) {
space before left paren

[Tanmay Vartak, 2014-04-14 21:08:54]

With code review comments on patch 2

[Tanmay Vartak, 2014-04-14 21:09:34]

Implemented most of code review comments.

https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/...
File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java
(right):

https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:49:
public class AdfsHandshakeManager implements SAMLHandshakeManager{
On 2014/04/12 00:45:35, pjo wrote:
> space before left curly

Done.

https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:59: final
String trustLocation;
On 2014/04/12 00:45:35, pjo wrote:
> not private?

Done.

https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:185:
private String generateSAMLRequest() {
On 2014/04/12 00:45:35, pjo wrote:
> generateSamlRequest

Done.

https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:210: }
catch (Exception ex) {
On 2014/04/12 00:45:35, pjo wrote:
> seems to generic

Done.

https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/...
File
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java
(right):

https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:38:
private static final String liveSts
On 2014/04/12 00:45:35, pjo wrote:
> use capitals

Done.

https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:40:
private static final String liveLoginUrl
On 2014/04/12 00:45:35, pjo wrote:
> use capitals

Done.

https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/...
File src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java
(right):

https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:60:
DEFAULT_COOKIE_TIMEOUT_SECONDS, "PASSWORD_MISMATCH");
On 2014/04/12 00:45:35, pjo wrote:
> 2 more spaces

Done.

https://codereview.appspot.com/83730043/diff/20001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:174:
if("".equals(value)) {
On 2014/04/12 00:45:35, pjo wrote:
> space before left paren

Done.

[Tanmay Vartak, 2014-04-15 22:35:18]

Hi PJ / Ondra,

I want to introduce AuthenticationFactory object get appropriate authentication
client, so that it will be easier to test SharePoint adaptor with new
configurations.

So you can continue your review for other changes or hold on your review. I will
upload new patch.

Regards,
Tanmay

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
File src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java
(right):

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:495:
authenticationClient =  new SharePointFormsAuthenticationHandler(
I want to replace this with a Factory method to make writing unit tests easy.

[pjo, 2014-04-16 20:13:35]

Thank you.

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java
(right):

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:117:
public Builder (String sharePointUrl, String username,
s/r (/r(/

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:144:
public Builder setTrustLocation (String trustLocation) {
s/n (/n(/

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:150:
return new AdfsHandshakeManager(sharePointUrl, username,
is it ok if trustLocation or login are still null?

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:154: 
remove extra empty line

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:161: =
new HashMap<String, String>();
r u sure this line would be over80?

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:164:
"application/soap+xml; charset=utf-8");
ibid

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:176: +
"&wctx=" + URLEncoder.encode(sharePointUrl + login,"UTF-8")
should we check somewhere earlier that sharePointUrl ends with "/"?

I'm not sure if it has to or not, just a thought.

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:200: db =
dbf.newDocumentBuilder();
combine last two lines

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:212:
log.log(Level.FINER, "ADFS Authentication Token {0}", token);
is it OK to log this value? is it sensitive?
just asking.

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:238:
if(input == null) {
space before (

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
File
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java
(right):

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:49:

remove extra blank line

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:92:
return new LiveAuthenticationHandshakeManager(sharePointUrl, username,
should we check for "login" and stsendpoint being null?

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:124:
log.log(Level.FINER, "Live Authentication Token {0}", token);
is this a sensitive value that can be logged?

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:135:

remove extra blank line

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
File src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java
(right):

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:149:
private final Map<String, List<String>> headers;
i don't actually get what the comment is saying.
what alternates?

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:153:
this.contents = contents;
check for nulls?

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:154:
this.headers = headers;
what do you think about making copy? not worth it
because is only visible for testing?

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:162:
return headers;
return wrapped in unmodifiable?

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
File src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java
(right):

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:449:
config.addKey("sts.login", "");
add these to overview.html in source directory pls.

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:451:
config.addKey("sharepoint.useLiveAuthentication", "");
also this one.

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:509: }
should we detect conflicts?
as in someone provided enough info for
multiple options?

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
File
src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java
(right):

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:198:
config.addKey("sharepoint.useLiveAuthentication", "");
add to overview.html

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:263:
password, scheduledExecutor, authenticationClient);
this code section seems similar to the one in SPA.
should it/can it be extracted out?

https://codereview.appspot.com/83730043/diff/40001/test/com/google/enterprise...
File test/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManagerTest.java
(right):

https://codereview.appspot.com/83730043/diff/40001/test/com/google/enterprise...
test/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManagerTest.java:263:

remove empty line.

[Tanmay Vartak, 2014-04-18 20:51:24]

essage=With code review comments and Authentication handler factory

[Tanmay Vartak, 2014-04-18 20:52:12]

On 2014/04/18 20:51:24, Tanmay Vartak wrote:
> essage=With code review comments and Authentication handler factory

something went wrong
 will upload new patch

[Tanmay Vartak, 2014-04-18 20:52:49]

With code review comments and Authentication handler factory

[Tanmay Vartak, 2014-04-18 20:54:01]

Implemented most of the code review comments

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java
(right):

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:117:
public Builder (String sharePointUrl, String username,
On 2014/04/16 20:13:35, pjo wrote:
> s/r (/r(/

Done.

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:144:
public Builder setTrustLocation (String trustLocation) {
On 2014/04/16 20:13:35, pjo wrote:
> s/n (/n(/

Done.

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:150:
return new AdfsHandshakeManager(sharePointUrl, username,
On 2014/04/16 20:13:35, pjo wrote:
> is it ok if trustLocation or login are still null?

Done.

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:154: 
On 2014/04/16 20:13:35, pjo wrote:
> remove extra empty line

Done.

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:154: 
On 2014/04/16 20:13:35, pjo wrote:
> remove extra empty line

Done.

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:161: =
new HashMap<String, String>();
On 2014/04/16 20:13:35, pjo wrote:
> r u sure this line would be over80?

Done.

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:176: +
"&wctx=" + URLEncoder.encode(sharePointUrl + login,"UTF-8")
I have changed implementation. Default values will work as expected while custom
values in adaptor config.properties needs to be full Urls instead of relative
urls.
On 2014/04/16 20:13:35, pjo wrote:
> should we check somewhere earlier that sharePointUrl ends with "/"?
> 
> I'm not sure if it has to or not, just a thought.

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:200: db =
dbf.newDocumentBuilder();
On 2014/04/16 20:13:35, pjo wrote:
> combine last two lines

Done.

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:212:
log.log(Level.FINER, "ADFS Authentication Token {0}", token);
This should be OK. There is no sensitive information.
On 2014/04/16 20:13:35, pjo wrote:
> is it OK to log this value? is it sensitive?
> just asking.

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:238:
if(input == null) {
On 2014/04/16 20:13:35, pjo wrote:
> space before (

Done.

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
File
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java
(right):

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:92:
return new LiveAuthenticationHandshakeManager(sharePointUrl, username,
On 2014/04/16 20:13:35, pjo wrote:
> should we check for "login" and stsendpoint being null?

Done.

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:124:
log.log(Level.FINER, "Live Authentication Token {0}", token);
Is OK. Not sensitive.
On 2014/04/16 20:13:35, pjo wrote:
> is this a sensitive value that can be logged?

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:135:

On 2014/04/16 20:13:35, pjo wrote:
> remove extra blank line

Done.

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
File src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java
(right):

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:149:
private final Map<String, List<String>> headers;
My bad. Copied from SharePointAdaptor class. Not applicable removed.
On 2014/04/16 20:13:35, pjo wrote:
> i don't actually get what the comment is saying.
> what alternates?

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:153:
this.contents = contents;
On 2014/04/16 20:13:35, pjo wrote:
> check for nulls?

Done.

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:154:
this.headers = headers;
On 2014/04/16 20:13:35, pjo wrote:
> what do you think about making copy? not worth it
> because is only visible for testing?

Done.

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:162:
return headers;
On 2014/04/16 20:13:35, pjo wrote:
> return wrapped in unmodifiable?

Done.

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
File src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java
(right):

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:449:
config.addKey("sts.login", "");
In diff code review CL, once we are OK with parameters and values
On 2014/04/16 20:13:35, pjo wrote:
> add these to overview.html in source directory pls.

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:451:
config.addKey("sharepoint.useLiveAuthentication", "");
Yes
On 2014/04/16 20:13:35, pjo wrote:
> also this one.

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:495:
authenticationClient =  new SharePointFormsAuthenticationHandler(
On 2014/04/15 22:35:18, Tanmay Vartak wrote:
> I want to replace this with a Factory method to make writing unit tests easy.

Done.

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
File
src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java
(right):

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:198:
config.addKey("sharepoint.useLiveAuthentication", "");
Yes in different CL
On 2014/04/16 20:13:35, pjo wrote:
> add to overview.html

https://codereview.appspot.com/83730043/diff/40001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:263:
password, scheduledExecutor, authenticationClient);
Extracted out
On 2014/04/16 20:13:35, pjo wrote:
> this code section seems similar to the one in SPA.
> should it/can it be extracted out?

[pjo, 2014-04-18 21:18:15]

Miguel, please review this SharePoint CL.

Thank you

[mifern, 2014-04-21 18:12:20]

This CL seems to add support for Live authentication and ADFS authentication.

Can you also expand on the description to give me an idea on what you need to do
to add ADFS support.

https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/...
File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java
(right):

https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:197:
return String.format(reqXML, escapeXml(stsendpoint),
escapeXml on escapes cdata. Can username and password contain "<" or "&" that
require cdata escaping?

https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:245:
String escapeXml(String input) {
The name escapeXml does not seem appropriate. This is just doing cdata escaping.

https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/...
File src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java
(right):

https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:489: String
stsendpoint = config.getValue("sts.endpoint");
Same comments as SharePointUserProfileAdaptor.java.

Also, there is a log of code duplication between here and
SharePointUserProfileAdaptor.java. It seems like using a base class would be
prudent.

https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/...
File
src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java
(right):

https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:204:
config.addKey("sharepoint.useLiveAuthentication", "");
So then shouldn't this be "false" by default instead of empty string.

https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:244:
String stsendpoint = config.getValue("sts.endpoint");
You should log this at Level.CONFIG after reading the value.

https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:253:
.newAdfsAuthentication(virtualServer, username, password, config);
You only need stsendpoint for ADFS? What about "sts.realm", "sts.trustLocation"
and "sts.login"? You're not reading or verifying those values.

https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:258:
authenticationHandler = new FormsAuthenticationHandler(username,
You should log some indicator of what authentication you're using.

[Tanmay Vartak, 2014-04-21 21:05:32]

Hi Miguel,

Thanks for your code review.
For your reference ADFS flow. (also applicable for Live authentication with
minor variations).
1. ADFS is a SAML implentation by Microsoft. SharePoint can be configured to
trust ADFS to authenticate a User and generating associated claims for User.
2. When User tries to access SharePoint secured with ADFS, user gets redirected
to ADFS endpoint (STSENDPOINT).
3. ADFS will validate user credentials and if credentials are valid, it will
return SAML authentication token which can be used to establish user identity by
SharePoint.
4. For Adaptor, AdfsHandshakeManager will request SAML token from ADFS using
HTTP post to configured STSENDPOINT.
5. In response, ADFS will return SAML Token. AdfsHandshakeManager will extract
this token from response.
5. AdfsHandshakeManager will do another HTTP Post to trust location using
extarcted token.
6. In response, SharePoint will include authentication cookies.
7. Authentication cookies will be used to make subsequent requests.
8. FormsAuthenticationHandler provides base framework to refresh authentication
cookies on regular interval.
9. Process flow for Live authentication is almost same with variation in "token
value"  and "HTTP Post" for obtaining cookie.

https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/...
File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java
(right):

https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:197:
return String.format(reqXML, escapeXml(stsendpoint),
We can call this wrapXml or wrapCdata is thats sounds OK.

With CDATA we don't need to worry about any special chars such as & or <. Only
thing that we need to escape is ']]>'.

On 2014/04/21 18:12:20, mifern wrote:
> escapeXml on escapes cdata. Can username and password contain "<" or "&" that
> require cdata escaping?

https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/...
File src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java
(right):

https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:489: String
stsendpoint = config.getValue("sts.endpoint");

Initially when I started with User profile adaptor, myself and Eric discussed
about having common base class but we decided to keep them separate for
simplicity with side effect of duplicating code.

We can still revisit that decision but I want to avoid it in this CL.

On 2014/04/21 18:12:20, mifern wrote:
> Same comments as SharePointUserProfileAdaptor.java.
> 
> Also, there is a log of code duplication between here and
> SharePointUserProfileAdaptor.java. It seems like using a base class would be
> prudent.

[Tanmay Vartak, 2014-04-21 21:11:43]

On 2014/04/21 21:05:32, Tanmay Vartak wrote:
> Hi Miguel,
> 
> Thanks for your code review.
> For your reference ADFS flow. (also applicable for Live authentication with
> minor variations).
> 1. ADFS is a SAML implentation by Microsoft. SharePoint can be configured to
> trust ADFS to authenticate a User and generating associated claims for User.
> 2. When User tries to access SharePoint secured with ADFS, user gets
redirected
> to ADFS endpoint (STSENDPOINT).
> 3. ADFS will validate user credentials and if credentials are valid, it will
> return SAML authentication token which can be used to establish user identity
by
> SharePoint.
> 4. For Adaptor, AdfsHandshakeManager will request SAML token from ADFS using
> HTTP post to configured STSENDPOINT.
> 5. In response, ADFS will return SAML Token. AdfsHandshakeManager will extract
> this token from response.
> 5. AdfsHandshakeManager will do another HTTP Post to trust location using
> extarcted token.
> 6. In response, SharePoint will include authentication cookies.
> 7. Authentication cookies will be used to make subsequent requests.
> 8. FormsAuthenticationHandler provides base framework to refresh
authentication
> cookies on regular interval.
> 9. Process flow for Live authentication is almost same with variation in
"token
> value"  and "HTTP Post" for obtaining cookie.
> 
>
https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/...
> File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java
> (right):
> 
>
https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/...
> src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:197:
> return String.format(reqXML, escapeXml(stsendpoint),
> We can call this wrapXml or wrapCdata is thats sounds OK.
> 
> With CDATA we don't need to worry about any special chars such as & or <. Only
> thing that we need to escape is ']]>'.
> 
> On 2014/04/21 18:12:20, mifern wrote:
> > escapeXml on escapes cdata. Can username and password contain "<" or "&"
that
> > require cdata escaping?
> 
>
https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/...
> File src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java
> (right):
> 
>
https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/...
> src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:489:
String
> stsendpoint = config.getValue("sts.endpoint");
> 
> Initially when I started with User profile adaptor, myself and Eric discussed
> about having common base class but we decided to keep them separate for
> simplicity with side effect of duplicating code.
> 
> We can still revisit that decision but I want to avoid it in this CL.
> 
> On 2014/04/21 18:12:20, mifern wrote:
> > Same comments as SharePointUserProfileAdaptor.java.
> > 
> > Also, there is a log of code duplication between here and
> > SharePointUserProfileAdaptor.java. It seems like using a base class would be
> > prudent.

STSRELAM : This is an identifier used by ADFS to identify relying party (in this
case particular SharePoint application).

[mifern, 2014-04-21 21:42:19]

https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/...
File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java
(right):

https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:197:
return String.format(reqXML, escapeXml(stsendpoint),
escapeCdata sounds like a good compromise.

On 2014/04/21 21:05:32, Tanmay Vartak wrote:
> We can call this wrapXml or wrapCdata is thats sounds OK.
> 
> With CDATA we don't need to worry about any special chars such as & or <. Only
> thing that we need to escape is ']]>'.
> 
> On 2014/04/21 18:12:20, mifern wrote:
> > escapeXml on escapes cdata. Can username and password contain "<" or "&"
that
> > require cdata escaping?
>

https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/...
File
src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactory.java
(right):

https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactory.java:28:
String username, String password, Config config) throws IOException;
Passing in a config does not seem like the right approach here. The adaptor
should be reading the config values and validating them.

https://codereview.appspot.com/83730043/diff/80001/test/com/google/enterprise...
File test/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManagerTest.java
(right):

https://codereview.appspot.com/83730043/diff/80001/test/com/google/enterprise...
test/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManagerTest.java:264:
AdfsHandshakeManager manager = new AdfsHandshakeManager.Builder(
You also need a test where you escape "<![CDATA[something]]>".

https://codereview.appspot.com/83730043/diff/80001/test/com/google/enterprise...
test/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManagerTest.java:267:
assertEquals("<![CDATA[This is simple]]>",
This test should include the two characters that are needed for cdata, "&" and
"<".

https://codereview.appspot.com/83730043/diff/80001/test/com/google/enterprise...
File
test/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptorTest.java
(right):

https://codereview.appspot.com/83730043/diff/80001/test/com/google/enterprise...
test/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptorTest.java:233:
,authenticatioFactory);
For consistency with the other tests, the comma should be on the previous line.

[JohnL, 2014-04-21 22:21:19]

https://codereview.appspot.com/83730043/diff/80001/test/com/google/enterprise...
File
test/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptorTest.java
(right):

https://codereview.appspot.com/83730043/diff/80001/test/com/google/enterprise...
test/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptorTest.java:80:
private AuthenticationHandlerFactory authenticatioFactory
"authenticatioFactory" => "authenticationFactory"

[Tanmay Vartak, 2014-04-22 18:24:38]

With code review comments implemented

[Tanmay Vartak, 2014-04-22 18:25:05]

https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/...
File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java
(right):

https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:197:
return String.format(reqXML, escapeXml(stsendpoint),
On 2014/04/21 21:42:20, mifern wrote:
> escapeCdata sounds like a good compromise.
> 
> On 2014/04/21 21:05:32, Tanmay Vartak wrote:
> > We can call this wrapXml or wrapCdata is thats sounds OK.
> > 
> > With CDATA we don't need to worry about any special chars such as & or <.
Only
> > thing that we need to escape is ']]>'.
> > 
> > On 2014/04/21 18:12:20, mifern wrote:
> > > escapeXml on escapes cdata. Can username and password contain "<" or "&"
> that
> > > require cdata escaping?
> > 
> 

Done.

https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:245:
String escapeXml(String input) {
On 2014/04/21 18:12:20, mifern wrote:
> The name escapeXml does not seem appropriate. This is just doing cdata
escaping.

Done.

https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/...
File
src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactory.java
(right):

https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactory.java:28:
String username, String password, Config config) throws IOException;
Done. Replaced with ADFS specific parameters.
On 2014/04/21 21:42:20, mifern wrote:
> Passing in a config does not seem like the right approach here. The adaptor
> should be reading the config values and validating them.

https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/...
File
src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java
(right):

https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:204:
config.addKey("sharepoint.useLiveAuthentication", "");
On 2014/04/21 18:12:20, mifern wrote:
> So then shouldn't this be "false" by default instead of empty string.

Done.

https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:244:
String stsendpoint = config.getValue("sts.endpoint");
On 2014/04/21 18:12:20, mifern wrote:
> You should log this at Level.CONFIG after reading the value.

Done.

https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:253:
.newAdfsAuthentication(virtualServer, username, password, config);
On 2014/04/21 18:12:20, mifern wrote:
> You only need stsendpoint for ADFS? What about "sts.realm",
"sts.trustLocation"
> and "sts.login"? You're not reading or verifying those values.

Done.

https://codereview.appspot.com/83730043/diff/80001/src/com/google/enterprise/...
src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:258:
authenticationHandler = new FormsAuthenticationHandler(username,
On 2014/04/21 18:12:20, mifern wrote:
> You should log some indicator of what authentication you're using.

Done.

https://codereview.appspot.com/83730043/diff/80001/test/com/google/enterprise...
File test/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManagerTest.java
(right):

https://codereview.appspot.com/83730043/diff/80001/test/com/google/enterprise...
test/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManagerTest.java:264:
AdfsHandshakeManager manager = new AdfsHandshakeManager.Builder(
On 2014/04/21 21:42:20, mifern wrote:
> You also need a test where you escape "<![CDATA[something]]>".

Done.

https://codereview.appspot.com/83730043/diff/80001/test/com/google/enterprise...
test/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManagerTest.java:267:
assertEquals("<![CDATA[This is simple]]>",
On 2014/04/21 21:42:20, mifern wrote:
> This test should include the two characters that are needed for cdata, "&" and
> "<".

Done.

https://codereview.appspot.com/83730043/diff/80001/test/com/google/enterprise...
File
test/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptorTest.java
(right):

https://codereview.appspot.com/83730043/diff/80001/test/com/google/enterprise...
test/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptorTest.java:80:
private AuthenticationHandlerFactory authenticatioFactory
On 2014/04/21 22:21:20, John L wrote:
> "authenticatioFactory" => "authenticationFactory"

Done.

[pjo, 2014-04-24 00:20:23]

A few comments.  Thank you

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java
(right):

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:247:
return input;
Does returning null make sense? How is that going to go into the string?  Should
it be fatal?

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
File
src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactory.java
(right):

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactory.java:22:
public interface AuthenticationHandlerFactory {
Please annotate class:
# Can an authentication handler provided be reused?
# Why do they take different amounts of parameters?
# Are they thread safe?
# Do they need to be cleaned up?

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
File
src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactoryImpl.java
(right):

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactoryImpl.java:36:
implements AuthenticationHandlerFactory{
s/y{/y {/

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactoryImpl.java:87:
+ "/_vti_bin/Authentication.asmx").toString();
one too much indent

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
File src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java
(right):

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:452: // When
running against ADFS authentication, set this to relam value.
relam? is it a realm?

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:453:
config.addKey("sts.relam", "");
relam?

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:457:
config.addKey("sharepoint.useLiveAuthentication", "false");
The sequence of attempted authentications, the sequence of
conditions and steps, will need to be carefully spelled
out in documentation.

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:479: String
stsrelam = config.getValue("sts.relam");
if it is a realm then please change throughout

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
File
src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java
(right):

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:200:
config.addKey("sts.relam", "");
realm?  throughout

[mifern, 2014-04-24 04:00:37]

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
File
src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactoryImpl.java
(right):

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactoryImpl.java:54:
return URI.create(endpoint).toASCIIString();
So UNICODE characters will be replaced by ? and lost. That would mean the
endpoint would be invalid then.

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactoryImpl.java:57:
private static URI spUrlToUri(String url) throws IOException {
So you're assuming here that the url does not start with "http://"?

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactoryImpl.java:57:
private static URI spUrlToUri(String url) throws IOException {
I don't understand this method. Why create a URI then split it then encode part
of it and then put it back together. Wouldn't it be simpler to encode the part
that needs to be encoded and then generate the URL?

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactoryImpl.java:66:
String host = parts[0] + "/" + parts[1] + "/" + parts[2];
You don't need the host variable. Just use:
URI hostUri = URI.create(parts[0] + "/" + parts[1] + "/" + parts[2]);

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
File
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java
(right):

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:67:
if (sharePointUrl == null || username == null || password == null
These should be precondition checks so that you get a better message if one of
these is null.

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:82:
this.login = login;
If login can't be null, then you should have a precondition check.

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:87:
this.stsendpoint = stsendpoint;
If stsendpoint can't be null, then you should have a precondition check.

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:92:
if (Strings.isNullOrEmpty(stsendpoint)
These check are not needed if handled above.

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:141:
String url = login;
url local variable is not needed.

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:147:
String cookie = postResponse.getPostResponseHeaderField("Set-Cookie");
Just return, no need for cookie local variable.

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
File src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java
(right):

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:48:
if (samlClient == null) {
Precondition check?

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:60:
log.log(Level.WARNING, "Empty SAML Token.");
What would cause an empty token? Is there an error code? What action can the
user take?

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:67:
log.log(Level.FINE, "Authentication Cookie {0}", cookie);
So it's OK to log the cookie but not the token?

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:107:
url = new URL(url.toURI().toASCIIString());
I don't think this is right. You could lose some characters. Maybe you to encode
them using UTF-8.

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:139:
if (inputStream != null) {
Can either the stream be null?

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
File src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java
(right):

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:499:
AuthenticationHandler authenticationClient;
You should log what authentication is being used.

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:504: &&
!Strings.isNullOrEmpty(stsrelam)) {
Just stsendpoint and stsrelam being non-empty is enough for ADFS?

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
File
src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java
(right):

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:251:
AuthenticationHandler authenticationClient;
This like the same code as SharePointAdaptor.java just with more logging. Add
the same logging to SharePointAdaptor.java.

[pjo, 2014-04-24 17:15:56]

Thank you

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
File
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java
(right):

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:67:
if (sharePointUrl == null || username == null || password == null
On 2014/04/24 04:00:38, mifern wrote:
> These should be precondition checks so that you get a better message if one of
> these is null.

Let's not do it in this CL. This project has been
using == null and it's OK to stick to that nearby
standard. If we want to change to Preconditions let's
make a task and do it wholesale across the adaptor.

Thank you

[ondrejnovak, 2014-04-25 09:19:32]

Some small nit picks from me, otherwise looks good

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java
(right):

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:142:
this.login = sharePointUrl + DEFAULT_LOGIN;
Can you check, if this will this work when sharePointUrl ends with trailing
slash?
http://sp.example.com//_layouts/Authenticate.aspx"

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:170:
Map<String, String> requestProperties = new HashMap<String, String>();
s/requestProperties/requestHeaders

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:188:
Map<String, String> requestProperties = new HashMap<String, String>();
headers

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:212: =
document.getElementsByTagNameNS("*","RequestSecurityTokenResponse");
why are you using * - you should use the exact namespace name

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
File
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java
(right):

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:121:
= document.getElementsByTagNameNS("*","BinarySecurityToken");
Why the asterisk? Why don't you use the exact namespace name.

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
File src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java
(right):

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:101:
public PostResponseInfo issuePostRequest(URL url,
Can you add logging of the whole HTTP request, response here

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
File src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java
(right):

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:450: // When
running against ADFS authentication, set this to ADFS endpoint.
Can you add the defaults as comment here

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
File
src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java
(right):

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:198:
// When running against ADFS authentication, set this to ADFS endpoint.
Can you put here the defaults as comments

[ejona, 2014-04-25 20:58:43]

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
File src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java
(right):

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:451:
config.addKey("sts.endpoint", "");
Should these new configuration values be prefixed with "sharepoint."?

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:503: } else
if (!Strings.isNullOrEmpty(stsendpoint)
stsendpoint and stsrelam will never be null.

[Tanmay Vartak, 2014-04-25 21:14:02]

On 2014/04/25 20:58:43, ejona wrote:
>
https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
> File src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java
> (right):
> 
>
https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
> src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:451:
> config.addKey("sts.endpoint", "");
> Should these new configuration values be prefixed with "sharepoint."?
> 
>
https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
> src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:503: }
else
> if (!Strings.isNullOrEmpty(stsendpoint)
> stsendpoint and stsrelam will never be null.

Hi Eric,

Thanks for code review. Your help is really appreciated. Please give your
feedback for entire code review. :)

sts.endpoint is "Secure token service endpoint". This something outside the
SharePoint. SharePoint just rely on STS Endpoint to authenticate user and
provide necessary claims.
sharepoint.endpoint will be confusing with SharePoint url.

I will replace Strings.IsNullOrEmpty check with "".equals check.

Regards,
Tanmay

[Tanmay Vartak, 2014-04-25 21:20:07]

On 2014/04/25 09:19:32, ondrejnovak wrote:
> Some small nit picks from me, otherwise looks good
> 
>
https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
> File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java
> (right):
> 
>
https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
> src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:142:
> this.login = sharePointUrl + DEFAULT_LOGIN;
> Can you check, if this will this work when sharePointUrl ends with trailing
> slash?
> http://sp.example.com//_layouts/Authenticate.aspx%22
> 
>
https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
> src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:170:
> Map<String, String> requestProperties = new HashMap<String, String>();
> s/requestProperties/requestHeaders
> 
>
https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
> src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:188:
> Map<String, String> requestProperties = new HashMap<String, String>();
> headers
> 
>
https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
> src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:212: =
> document.getElementsByTagNameNS("*","RequestSecurityTokenResponse");
> why are you using * - you should use the exact namespace name
> 
>
https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
> File
>
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java
> (right):
> 
>
https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
>
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:121:
> = document.getElementsByTagNameNS("*","BinarySecurityToken");
> Why the asterisk? Why don't you use the exact namespace name.
> 
>
https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
> File
src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java
> (right):
> 
>
https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
>
src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:101:
> public PostResponseInfo issuePostRequest(URL url,
> Can you add logging of the whole HTTP request, response here
> 
>
https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
> File src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java
> (right):
> 
>
https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
> src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:450: //
When
> running against ADFS authentication, set this to ADFS endpoint.
> Can you add the defaults as comment here
> 
>
https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
> File
> src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java
> (right):
> 
>
https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
>
src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:198:
> // When running against ADFS authentication, set this to ADFS endpoint.
> Can you put here the defaults as comments

Hi Ondra,

Thanks for review.

I verified that double slash // works here even though chances of having // in
url are low. During init, Adaptor will trim trailing '/'. So virtual server url
will be without trailing slash. Only if you specify Virtual server url with 2
trailing slashes e.g. "http://sharepoint.exampl.com//" then we will generate
login url as "http://sharepoint.exampl.com//_layouts/Authentication.aspx" and it
works fine.

Regards,
Tanmay

[ejona, 2014-04-25 21:57:29]

I may find the time to give it a high-level look-over. Based on the email
conversation, it seemed I would need to look at the code more to comment.

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
File src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java
(right):

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:451:
config.addKey("sts.endpoint", "");
On 2014/04/25 20:58:44, ejona wrote:
> Should these new configuration values be prefixed with "sharepoint."?

I was meaning "sharepoint.sts.endpoint". "sharepoint" would be there because
that is the adaptor you are providing configuration for. I'm not certain you
want the sharepoint there, but I would lean toward having it. Just something to
consider.

[pjo, 2014-04-26 02:21:07]

After looking at body of FormsAuthenticationHandler it looks close to template
method <http://en.wikipedia.org/wiki/Template_method_pattern> (without the
subclass part).

So, here is a proposal:
  # Keep FormsAuthenticationHandler   # Remove
FormsAuthenticationHandler.AuthenticationHandler
  # Add abstract `AuthenticationResult authenticate()'
to FormsAuthenticationHandler
  # Make SamlAuthenticationHandler and
        SharePointFormsAuthenticationHandler subclass
        FormsAuthenticationHandler   # Remove boolean isFormsAuthentication
()because
     the name makes refers to instance, not to SP server. Instead
     have start return or throw fact that server doens't support
     forms-authn and keep state in adaptor.

Alternate proposal:
  # Rename AuthenticationHandler interface to AuthenticationClient
  # Continue to have FormsAuthencationHandler and have it accept
     instance of AuthencationClient
  # Remove boolean isFormsAuthentication()because
     the name makes refers to instance, not to SP server. Instead
     have start return or throw fact that server doens't support
     forms-authn and keep state in adaptor.


The reason I'd like to make some changes is:
  # AuthnHandler and FormsAuthnHandler as names don't communicate
      their relationship
  # isFormsAuthentcation() makes it seem like it's about handler,
       but it really is about the SP server, and that's confusing

Thank you very much,
PJ





- technology's compounding interest
-


On Fri, Apr 25, 2014 at 2:57 PM, <ejona@google.com> wrote:

> I may find the time to give it a high-level look-over. Based on the
> email conversation, it seemed I would need to look at the code more to
> comment.
>
>
>
> https://codereview.appspot.com/83730043/diff/100001/src/
> com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java
> File src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java
> (right):
>
> https://codereview.appspot.com/83730043/diff/100001/src/
> com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java#newcode451
> src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:451:
> config.addKey("sts.endpoint", "");
> On 2014/04/25 20:58:44, ejona wrote:
>
>> Should these new configuration values be prefixed with "sharepoint."?
>>
>
> I was meaning "sharepoint.sts.endpoint". "sharepoint" would be there
> because that is the adaptor you are providing configuration for. I'm not
> certain you want the sharepoint there, but I would lean toward having
> it. Just something to consider.
>
> https://codereview.appspot.com/83730043/
>

[Tanmay Vartak, 2014-04-29 18:42:55]

With code review comments and restructuring Authentication Handler

[Tanmay Vartak, 2014-04-29 18:43:31]

I have implemented most of the code review comments.

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java
(right):

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:142:
this.login = sharePointUrl + DEFAULT_LOGIN;
This works
On 2014/04/25 09:19:33, ondrejnovak wrote:
> Can you check, if this will this work when sharePointUrl ends with trailing
> slash?
> http://sp.example.com//_layouts/Authenticate.aspx%22

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:170:
Map<String, String> requestProperties = new HashMap<String, String>();
On 2014/04/25 09:19:33, ondrejnovak wrote:
> s/requestProperties/requestHeaders

Done.

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:188:
Map<String, String> requestProperties = new HashMap<String, String>();
On 2014/04/25 09:19:33, ondrejnovak wrote:
> headers

Done.

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:212: =
document.getElementsByTagNameNS("*","RequestSecurityTokenResponse");
Done. Should we fallback to * if default namespace
"http://schemas.xmlsoap.org/ws/2005/02/trust" is not working?
On 2014/04/25 09:19:33, ondrejnovak wrote:
> why are you using * - you should use the exact namespace name

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:247:
return input;
Modified to return empty string.
On 2014/04/24 00:20:23, pjo wrote:
> Does returning null make sense? How is that going to go into the string? 
Should
> it be fatal?

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
File
src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactoryImpl.java
(right):

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactoryImpl.java:54:
return URI.create(endpoint).toASCIIString();
This piece of code is borrowed from existing SharePoint Adaptor code and works
fine with Unicode characters.
On 2014/04/24 04:00:38, mifern wrote:
> So UNICODE characters will be replaced by ? and lost. That would mean the
> endpoint would be invalid then.

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactoryImpl.java:57:
private static URI spUrlToUri(String url) throws IOException {
Again this one taken from SharePoint Adaptor code.
This works with https:// as well. In fact to use ADFS, SharePoint needs to be
https://

Why are we doing this ?
Consider following url, "https://sharepoint.example.com/sites/My Site
Collection". In this url host "https://sharepoint.example.com" is properly
encoded but path "/sites/My Site Collection" is not. So this method is creating
host uri "https://sharepoint.example.com" and path uri
"/sites/My%20Site%Collection" and 
get combine output as
"https://sharepoint.example.com/sites/My%20Site%Collection".

This conversion is more applicable for urls returned by SharePoint where host is
already encode but path is not. See comment by Eric about SharePoint being silly
here. :)

I moved existing code from SharePoint Adaptor class to here so that it can be
reused between SharePoint adaptor and user profile adaptor.

We might need to revisit this code and some other places in Adaptor for Unicode
handling as part of another CL.
On 2014/04/24 04:00:38, mifern wrote:
> So you're assuming here that the url does not start with "http://"?

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/AuthenticationHandlerFactoryImpl.java:87:
+ "/_vti_bin/Authentication.asmx").toString();
On 2014/04/24 00:20:23, pjo wrote:
> one too much indent

Done.

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
File
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java
(right):

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:82:
this.login = login;
As mentioned by PJ, keeping it consistent with existing code.
On 2014/04/24 04:00:38, mifern wrote:
> If login can't be null, then you should have a precondition check.

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:87:
this.stsendpoint = stsendpoint;
As mentioned by PJ, keeping it consistent with existing code.
On 2014/04/24 04:00:38, mifern wrote:
> If stsendpoint can't be null, then you should have a precondition check.

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:92:
if (Strings.isNullOrEmpty(stsendpoint)
On 2014/04/24 04:00:38, mifern wrote:
> These check are not needed if handled above.

Done.

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:121:
= document.getElementsByTagNameNS("*","BinarySecurityToken");
On 2014/04/25 09:19:33, ondrejnovak wrote:
> Why the asterisk? Why don't you use the exact namespace name.

Done. Same connect applicable as in ADFS

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:141:
String url = login;
On 2014/04/24 04:00:38, mifern wrote:
> url local variable is not needed.

Done.

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:147:
String cookie = postResponse.getPostResponseHeaderField("Set-Cookie");
On 2014/04/24 04:00:38, mifern wrote:
> Just return, no need for cookie local variable.

Done.

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
File src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java
(right):

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:60:
log.log(Level.WARNING, "Empty SAML Token.");
As per discussion with PJ, I am changing code to throw IO exception that will
not fallback to Windows Integrated Authentication. We are here because user
wants to use Live authentication.
On 2014/04/24 04:00:38, mifern wrote:
> What would cause an empty token? Is there an error code? What action can the
> user take?

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:67:
log.log(Level.FINE, "Authentication Cookie {0}", cookie);

Logging @ FINE. Should be OK.
On 2014/04/24 04:00:38, mifern wrote:
> So it's OK to log the cookie but not the token?

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:107:
url = new URL(url.toURI().toASCIIString());

Again existing code.
On 2014/04/24 04:00:38, mifern wrote:
> I don't think this is right. You could lose some characters. Maybe you to
encode
> them using UTF-8.

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:139:
if (inputStream != null) {
As per documentation Error stream can be null if there is an error but server
dont have any data to report about it.
On 2014/04/24 04:00:38, mifern wrote:
> Can either the stream be null?

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
File src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java
(right):

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:450: // When
running against ADFS authentication, set this to ADFS endpoint.
On 2014/04/25 09:19:33, ondrejnovak wrote:
> Can you add the defaults as comment here

Done.

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:451:
config.addKey("sts.endpoint", "");
On 2014/04/25 21:57:29, ejona wrote:
> On 2014/04/25 20:58:44, ejona wrote:
> > Should these new configuration values be prefixed with "sharepoint."?
> 
> I was meaning "sharepoint.sts.endpoint". "sharepoint" would be there because
> that is the adaptor you are providing configuration for. I'm not certain you
> want the sharepoint there, but I would lean toward having it. Just something
to
> consider.

Done.

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:452: // When
running against ADFS authentication, set this to relam value.
On 2014/04/24 00:20:23, pjo wrote:
> relam? is it a realm?

Done.

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:453:
config.addKey("sts.relam", "");
On 2014/04/24 00:20:23, pjo wrote:
> relam?

Done.

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:457:
config.addKey("sharepoint.useLiveAuthentication", "false");
Noted down.
On 2014/04/24 00:20:23, pjo wrote:
> The sequence of attempted authentications, the sequence of
> conditions and steps, will need to be carefully spelled
> out in documentation.

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:479: String
stsrelam = config.getValue("sts.relam");
On 2014/04/24 00:20:23, pjo wrote:
> if it is a realm then please change throughout

Done.

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:503: } else
if (!Strings.isNullOrEmpty(stsendpoint)
On 2014/04/25 20:58:44, ejona wrote:
> stsendpoint and stsrelam will never be null.

Done.

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:504: &&
!Strings.isNullOrEmpty(stsrelam)) {
yes.
On 2014/04/24 04:00:38, mifern wrote:
> Just stsendpoint and stsrelam being non-empty is enough for ADFS?

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
File
src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java
(right):

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:198:
// When running against ADFS authentication, set this to ADFS endpoint.
On 2014/04/25 09:19:33, ondrejnovak wrote:
> Can you put here the defaults as comments

Done.

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:200:
config.addKey("sts.relam", "");
On 2014/04/24 00:20:23, pjo wrote:
> realm?  throughout

Done.

[Tanmay Vartak, 2014-04-29 18:53:13]

As per recommendation by PJ, we can remove isFormsAuthentication method. Even
though actual code changes are small, need significant changes in unit tests. As
this CL is getting larger and complex, I will send follow up CL for removing
isFormAuthentication.

[ejona, 2014-04-29 19:55:34]

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
File src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java
(right):

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:107:
url = new URL(url.toURI().toASCIIString());
On 2014/04/24 04:00:38, mifern wrote:
> I don't think this is right. You could lose some characters. Maybe you to
encode
> them using UTF-8.

Take a look at the toASCIIString() documentation. It converts Unicode characters
to UTF-8 encoded bytes that are %-encoded. So it actually maintains Unicode
characters.

This code actually is to support Unicode, because Java is broken and will send
Unicode characters as text instead of %-encoded, which is a huge no-no.

[pjo, 2014-04-30 20:46:02]

LGTM.  Thank you.

Please:
(1) fix these nits
(2) double check that not logging sensitive info
(3) double check no "relam" anywhere

Say if you'd like another look.

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java
(right):

https://codereview.appspot.com/83730043/diff/100001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:201:
String extractToken(String tokenResponse) throws IOException {
private or Visible for testing?

https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise...
File src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java
(right):

https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:52:
public class AdfsHandshakeManager implements SamlHandshakeManager {
annotate with javadoc

https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:217:
throw new IOException("ADFS token not available in response");
Consider only throwing.

https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:219: Node
responseToken = nodes.item(0);
we know it's the first one?

https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManager.java:221:
log.log(Level.FINER, "ADFS Authentication Token {0}", token);
Is this OK to log?

https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise...
File
src/com/google/enterprise/adaptor/sharepoint/FormsAuthenticationHandler.java
(right):

https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/FormsAuthenticationHandler.java:65:
abstract boolean isFormsAuthentication() throws IOException;
Put TODO to remove it.

https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise...
File
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java
(right):

https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:94:
|| Strings.isNullOrEmpty(login)) {
i think fits on one line

https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManager.java:132:
log.log(Level.FINER, "Live Authentication Token {0} namespace = {1} ", new
Object[] {token, n.getNamespaceURI()});
split this line

https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise...
File src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java
(right):

https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:72:
authenticationHandler.samlClient = samlClient;
pass as ctor parameter

https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:80: 
remove blank line

https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:81:
log.log(Level.FINE, "Fetching SAML Token using {0}", samlClient);
Does samlClient have a good toString()?

https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SamlAuthenticationHandler.java:89:
log.log(Level.FINER, "Authentication Cookie {0}", cookie);
Should we log the cookie?

https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise...
File src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java
(right):

https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SharePointAdaptor.java:454: // When
running against ADFS authentication, set this to relam value.
s/relam/realm/

https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise...
File
src/com/google/enterprise/adaptor/sharepoint/SharePointFormsAuthenticationHandler.java
(right):

https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SharePointFormsAuthenticationHandler.java:71:
authenticationHandler.authenticationClient = authenticationClient;
pass to ctor

https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise...
File
src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java
(right):

https://codereview.appspot.com/83730043/diff/120001/src/com/google/enterprise...
src/com/google/enterprise/adaptor/sharepoint/SharePointUserProfileAdaptor.java:200:
// When running against ADFS authentication, set this to relam value.
s/relam/realm/

https://codereview.appspot.com/83730043/diff/120001/test/com/google/enterpris...
File test/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManagerTest.java
(right):

https://codereview.appspot.com/83730043/diff/120001/test/com/google/enterpris...
test/com/google/enterprise/adaptor/sharepoint/AdfsHandshakeManagerTest.java:257:
username, password, new ScheduledThreadPoolExecutor(1), manager).build();
over80

https://codereview.appspot.com/83730043/diff/120001/test/com/google/enterpris...
File
test/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManagerTest.java
(right):

https://codereview.appspot.com/83730043/diff/120001/test/com/google/enterpris...
test/com/google/enterprise/adaptor/sharepoint/LiveAuthenticationHandshakeManagerTest.java:182:
"username@domain", "password&123", new ScheduledThreadPoolExecutor(1),
manager).build();
over80

https://codereview.appspot.com/83730043/diff/120001/test/com/google/enterpris...
File test/com/google/enterprise/adaptor/sharepoint/SharePointAdaptorTest.java
(right):

https://codereview.appspot.com/83730043/diff/120001/test/com/google/enterpris...
test/com/google/enterprise/adaptor/sharepoint/SharePointAdaptorTest.java:2093:
public <T extends EndpointReference> T getEndpointReference(Class<T> clazz) {
over80